Merge pull request #391 from DaveYesland/enhancement-module/add_akid_…

…decoder_and_module Enhancement module/add akid decoder and module
RhinoSecurityLabs · Jan 9, 2024 · 2a2f50d · 2a2f50d
2 parents a86435e + faca698
commit 2a2f50d
Show file tree

Hide file tree

Showing 3 changed files with 64 additions and 0 deletions.
diff --git a/pacu/modules/iam__decode_accesskey_id/__init__.py b/pacu/modules/iam__decode_accesskey_id/__init__.py
diff --git a/pacu/modules/iam__decode_accesskey_id/main.py b/pacu/modules/iam__decode_accesskey_id/main.py
@@ -0,0 +1,39 @@
+#!/usr/bin/env python3
+import argparse
+from pacu.utils import decode_accesskey_id
+
+module_info = {
+    'name': 'iam__decode_accesskey_id',
+    'author': 'Rhino Security Labs',
+    'category': 'enum',
+    'one_liner': 'This module decodes an access key ID to get the AWS account ID. Based on: https://medium.com/@TalBeerySec/a-short-note-on-aws-key-id-f88cc4317489',
+    'description': 'This module decodes an access key ID to get the AWS account ID without making and AWS API calls. Based on: https://medium.com/@TalBeerySec/a-short-note-on-aws-key-id-f88cc4317489',
+    'services': ['IAM'],
+    'prerequisite_modules': [],
+    'external_dependencies': [],
+    'arguments_to_autocomplete': [],
+}
+
+parser = argparse.ArgumentParser(add_help=True, description=module_info['description'])
+
+parser.add_argument('access_key_id', nargs='?', default='', help='The access key ID to decode. If not provided, the current access key ID for the current profile will be used.')
+
+
+def main(args, pacu_main):
+
+    key_info = pacu_main.key_info
+    args = parser.parse_args(args)
+
+    user = key_info()
+
+    if args.access_key_id:
+        accesskey_id = args.access_key_id
+    else:
+        accesskey_id = user['AccessKeyId']
+
+    data = decode_accesskey_id(accesskey_id)
+    return data
+
+
+def summary(data, pacu_main):
+    return f"Account ID: {data}"
diff --git a/pacu/utils.py b/pacu/utils.py
@@ -2,6 +2,9 @@
 import sys
 import typing
 import zipfile
+import base64
+import binascii
+import re
 from pathlib import Path
 from typing import Optional, Union
 
@@ -96,3 +99,25 @@ def zip_file(file_path: Path, file_data: dict) -> bytes:
 
     with open(file_path, 'rb') as f:
         return f.read()
+
+
+def decode_accesskey_id(AWSKeyID):
+    '''
+    Taken from: https://medium.com/@TalBeerySec/a-short-note-on-aws-key-id-f88cc4317489
+    AWSKeyID is the AWS Access Key ID
+    This function returns the AWS Account ID
+    '''
+    regex = re.compile('(?<![A-Z0-9])[A-Z0-9]{20}(?![A-Z0-9])')
+    if not regex.match(AWSKeyID):
+        print('Invalid AWS Access Key ID')
+        return
+
+    trimmed_AWSKeyID = AWSKeyID[4:]
+    x = base64.b32decode(trimmed_AWSKeyID)
+    y = x[0:6]
+
+    z = int.from_bytes(y, byteorder='big', signed=False)
+    mask = int.from_bytes(binascii.unhexlify(b'7fffffffff80'), byteorder='big', signed=False)
+
+    e = (z & mask) >> 7
+    return ("{:012d}".format(e))